Cybereason researchers have published a report in which they detail Brazilian threat actor activity in various campaigns that target more than 60 banks around the globe in 2017 through 2018. Researchers analyzed recent activity originating from Brazil and found that the most targeted country in recent campaigns is Spain, with other highly targeted countries including Argentina, Bolivia, Chile, Colombia, Mexico, and Venezuela. Frequently observed Tactic, Techniques, and Procedures (TTPs) consist of the following: DLL hijacking, living off the land via abuse of Microsoft-signed binaries, multiple redirections via URL shorteners and use of Dynamic DNS services, obfuscated PowerShell downloaders, payloads hosted on authentic online storage services and Content Delivery Networks (CNDs), social engineering as initial entry point, and splitting the primary payload into two or more components.

Recommendation: Members of the financial services industry should be aware they are specifically targeted by malware due to the nature of their business. Never open files from unverified sources, and be aware of other infections vectors such as email attachments and infected websites. In addition, Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.